June 2, 2023 update: Gigabyte has issued an official statement informing us that it has uploaded beta BIOS releases to Gigabyte's official website that address the security issues highlighted in the Eclypsium report. Firmware updates for Intel 600 and 700 series and AMD 400 and 500 series boards have been released, and beta BIOS releases for the Intel 400 and 500 series and AMD 600 series will be available soon.
However, a quick check of several B550 boards on Eclypsium's list revealed that while new firmware was listed for the Intel boards, no new BIOS was yet available for those AMD boards.
After the Asus fiasco, I am also awaiting a response confirming that using a beta BIOS will not affect the motherboard's warranty.
As for what GIGABYTE has done to shore up the security vulnerabilities:
To enhance system security, GIGABYTE has implemented more stringent security checks during the operating system boot process. These measures are designed to detect and prevent possible malicious activity and provide users with enhanced protection:
1. Signature Verification: GIGABYTE has enhanced the verification process for files downloaded from remote servers. This enhanced verification ensures the integrity and legitimacy of content and thwarts attempts by attackers to insert malicious code.
2. Privileged Access Restrictions: GIGABYTE has enabled standard cryptographic verification of remote server certificates. This ensures that files are only downloaded from servers with valid and trusted certificates, providing an additional layer of protection.
Originally published June 1, 2023: Not a good time to be a motherboard manufacturer. First, Asus risks burning out Ryzen processors with excessive voltage settings in its firmware (even a supposed "fix"), and now Gigabyte is accused of using the same kind of backdoor technology as "threat actors" looking to hack into systems.
The vulnerability was discovered by security firm Eclypsium (via Wired), which notes that there are millions of Gigabyte motherboards on the loose with the same invisible firmware update mechanism.
"We are working with Gigabyte to address this insecure implementation of the App Center feature. To protect organizations from malicious actors, we are also publicly disclosing this information and defensive strategies on an accelerated timeline over general vulnerability disclosures."
Eclypsium has published a list of affected motherboards (PDF warning), and if you have a modern Gigabyte motherboard, there is a good chance it is on it. There are reportedly 271 models on the list; we haven't counted them ourselves, because the PDF runs to over three pages of three small-typeface columns. Both Intel and AMD platforms are affected.
In theory, someone on the same network as your machine could intercept Gigabyte's insecure updater and simply point it to a different URL than the standard firmware repository. The worst part is that one of the three download locations uses a plain HTTP address rather than HTTPS, so there is no encryption or server authentication at all on that path.
Eclypsium says it does not currently believe the vulnerability has been actively exploited, although it notes that "an active, pervasive backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems."
The potential risks and impacts are listed as follows:
The whole thing happens during the Windows startup process: Gigabyte's updater can download and execute payloads from several locations on the Internet without any input from the user.
Because one of those locations is a plain HTTP address, it is easily compromised by a so-called machine-in-the-middle attack. Eclypsium also notes that even the HTTPS locations are open to the same attack, because the remote certificate verification that is supposed to make HTTPS safer is not implemented properly, so an attacker's server can be accepted as if it were Gigabyte's.
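As an added example (not code from Gigabyte, Eclypsium or this article), here is the weak fetch pattern described above beside one that applies the two corrections Gigabyte's June 2 statement lists: verification of the remote server's certificate and verification of the downloaded file before it runs. It is written in Python rather than the updater's native code; the hostname, payload bytes and digest are constructed for illustration, and a pinned SHA-256 digest stands in for a real vendor signature check.

```python
"""Added example, not code from Gigabyte, Eclypsium or the article: the
weak update-fetch pattern the report describes beside a hardened one.
All URLs, hostnames, payloads and digests below are made up."""
import hashlib
import hmac
import ssl
import urllib.request
from typing import Callable, Optional
from urllib.parse import urlparse

# Hypothetical: the only host the updater should ever fetch from.
ALLOWED_HOSTS = {"updates.example-vendor.test"}


class UpdateRejected(Exception):
    """Raised when a download fails any of the hardened checks."""


def insecure_context() -> ssl.SSLContext:
    """TLS with certificate and hostname checks switched off. Any on-path
    attacker presenting a self-signed certificate is accepted, which is the
    HTTPS half of the problem Eclypsium describes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """TLS with full chain and hostname verification. The default context
    already does this; the point is never to turn it off. A vendor-specific
    CA bundle (hypothetical path) pins the trust root further."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_insecure(url: str) -> bytes:
    """The weak pattern: any scheme (plain http included), no certificate
    checks, and the bytes are handed back with no integrity verification."""
    with urllib.request.urlopen(url, context=insecure_context(), timeout=30) as r:
        return r.read()


def url_is_acceptable(url: str) -> bool:
    """Reject anything that is not HTTPS to an allow-listed host; a plain
    HTTP download location is the easiest thing on the path to tamper with."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS


def payload_is_authentic(data: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check against a digest delivered out of band (e.g. baked
    into firmware). A pinned digest stands in here for the vendor signature
    check; a real updater verifies an asymmetric signature with a key it
    already trusts. Constant-time compare avoids a timing side channel."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def _network_fetch(url: str) -> bytes:
    with urllib.request.urlopen(url, context=hardened_context(), timeout=30) as r:
        return r.read()


def fetch_hardened(url: str, expected_sha256_hex: str,
                   fetcher: Optional[Callable[[str], bytes]] = None) -> bytes:
    """The corrected pattern: refuse non-HTTPS or unknown hosts, verify the
    server certificate, and verify the payload before it is ever executed.
    `fetcher` lets a test inject bytes instead of touching the network."""
    if not url_is_acceptable(url):
        raise UpdateRejected(f"refusing to fetch from {url!r}")
    data = (fetcher or _network_fetch)(url)
    if not payload_is_authentic(data, expected_sha256_hex):
        raise UpdateRejected("payload digest mismatch; possible tampering in transit")
    return data


# Constructed samples: a "legitimate" payload, its pinned digest, and what an
# on-path attacker would substitute for it.
GOOD_PAYLOAD = b"MZ\x90\x00 legitimate updater stub (constructed sample)"
GOOD_DIGEST = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b" + attacker code"


def demo() -> dict:
    """Runs the hardened checks offline against the constructed samples."""
    results = {
        "plain_http_rejected": not url_is_acceptable("http://updates.example-vendor.test/app.exe"),
        "good_payload_accepted": payload_is_authentic(GOOD_PAYLOAD, GOOD_DIGEST),
        "tampered_payload_rejected": not payload_is_authentic(TAMPERED_PAYLOAD, GOOD_DIGEST),
    }
    try:
        fetch_hardened("https://updates.example-vendor.test/app.exe", GOOD_DIGEST,
                       fetcher=lambda _u: TAMPERED_PAYLOAD)   # simulated MITM swap
        results["mitm_swap_caught"] = False
    except UpdateRejected:
        results["mitm_swap_caught"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The two things to take from this are that `create_default_context()` already verifies certificates and hostnames, so the unsafe behaviour has to be opted into, and that transport security alone is not enough: the payload itself must be checked against something the machine already trusted before the download began.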
This is something of a security nightmare if your organization runs on Gigabyte-based systems, and even for a home user it is not a good feeling to know that an insecure Wi-Fi network could be used to load something onto your machine without you knowing what it is.
What you can do to protect your own machine is to go into the BIOS and disable the "APP Center Download & Install" feature. You can also set a BIOS password so that the setting cannot be changed again without your knowledge.
To enter the BIOS, press the Del or F2 key during the short startup window, or hold down the Shift key while choosing Restart from Windows. That brings up the advanced startup options screen, from which you can get into the UEFI BIOS (Troubleshoot > Advanced options > UEFI Firmware Settings).
We have reached out to Gigabyte for comment and will update as soon as we hear anything back.